Inappropriate use of cloud causes incidents

Some 35% of IT professionals believe cloud providers should turn over encrypted data to government when asked, while 55% are opposed. In addition, 64% of US-based security practitioners are opposed to government cooperation, compared to only 42% of their EMEA counterparts.

This was revealed by a report compiled by data protection company Bitglass in partnership with the Cloud Security Alliance (CSA). The report, Mitigating Cloud Risks, was based on a survey of 176 information security professionals, and delves into how businesses are securing cloud applications, their plans to improve visibility in the cloud, and top security threats.

Over and above government intervention, many businesses say they have experienced cloud security incidents, although these aren't the widespread breaches many anticipated. For the most part, incidents arise from inappropriate use of the cloud, led by unwanted external sharing and access from unmanaged devices.

Nat Kausik, CEO of Bitglass, said: "While hotly contested issues like government intervention remain open, major public cloud vendors have demonstrated that the cloud can be more secure than premises-based applications. The primary open concern is whether enterprises can put policies and controls in place to use the cloud securely."

John Yeoh, senior research analyst at CSA, said the decision as to whether or not a company wants its cloud provider to turn over encrypted data to government when asked is one that all businesses should ask themselves as they embark on a cloud journey.

Yeoh said it is also a crucial question companies should be asking of their cloud providers, as well as a step in what should be a thorough assessment of cloud providers' security measures. "The more information and policy detail that can be clearly spelled out up front, the greater the chance that an organisation will have a successful, long-term relationship with their cloud provider."

Another key finding was that most organisations have experienced some cloud security incident, with 59% related to unwanted external sharing and 47% involving access from unauthorised devices.

Moreover, it was revealed that cloud visibility is lacking. Only 49% of businesses admitted to knowing even the basics, such as where and when sensitive data is being downloaded from the cloud. "In addition, Cloud Access Security Brokers (CASBs) are on the rise, with 60% of companies surveyed saying they have deployed, or plan to deploy a CASB, with data leakage prevention cited as the most important capability."

Finally, the report highlighted that few have taken action to mitigate Shadow IT threats, with 62% relying on written policies as opposed to technical controls.